What is Impacket?

Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in a simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB, SMB and MSRPC (a.k.a. DCERPC). Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object-oriented API makes it simple to work with deep protocol hierarchies.

The following protocols are featured in Impacket

The following tools are featured in Impacket

secretsdump.py

Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp dir) and read the rest of the data from there. For NTDS.dit, we have to extract NTDS.dit via vssadmin executed with the smbexec approach. It's copied to the temp dir and parsed remotely. The script starts the services it requires if they are not available (e.g. Remote Registry, even if it is disabled). After the work is done, things are restored to the original state.

psexec.py

PSEXEC-like functionality example using RemComSvc (https://github.com/kavika13/RemCom)

services.py

Uses [MS-SCMR] to manipulate Windows services. It supports start, stop, delete, status, config, list, create and change.

mssqlclient.py

An MSSQL client, supporting SQL and Windows Authentications (hashes too). It also supports TLS.

mssqlinstance.py

Retrieves the MSSQL instance names from the target host

esentutl.py

Allows dumping catalog, pages and tables of ESE databases (e.g. NTDS.dit)

ntfs-read.py

Mini shell for browsing an NTFS volume

smbrelayx.py

This module performs the SMB Relay attacks originally discovered by cDc. It receives a list of targets and for every connection received it will choose the next target and try to relay the credentials. Also, if specified, it will first try to authenticate against the client connecting to us.
It is implemented by invoking an SMB and HTTP Server, hooking to a few functions and then using the smbclient portion. It is supposed to work on any LM Compatibility level. The only way to stop this attack is to enforce SPN checks and/or signing on the server.
If the authentication against the targets succeeds, the client authentication succeeds as well and a valid connection is set against the local smbserver. It's up to the user to set up the local smbserver functionality. One option is to set up shares with whatever files you want so the victim thinks it's connected to a valid SMB server. All that is done through the smb.conf file or programmatically.
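
To audit the signing mitigation named above, the following added example (not part of Impacket or of the original page) reads the SecurityMode field of an SMB NEGOTIATE response and lists the servers that do not require signing. The function names, host names and sample responses are constructed for illustration; field offsets follow the SMB1 (NT LM 0.12) and SMB2 NEGOTIATE response layouts.

```python
import struct

def signing_posture(msg: bytes) -> dict:
    """Read the signing bits from an SMB NEGOTIATE response.
    msg is the SMB message with the 4-byte transport length header removed."""
    if msg[:4] == b"\xfeSMB":                       # SMB2/3: 64-byte header
        if len(msg) < 68 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("not a complete SMB2 NEGOTIATE response")
        mode = struct.unpack_from("<H", msg, 66)[0]  # SecurityMode follows StructureSize
        proto, enabled, required = "SMB2", bool(mode & 0x1), bool(mode & 0x2)
    elif msg[:4] == b"\xffSMB":                     # SMB1: 32-byte header
        if len(msg) < 36 or msg[4] != 0x72 or msg[32] != 17:
            raise ValueError("not an NT LM 0.12 NEGOTIATE response")
        mode = msg[35]                               # after WordCount and DialectIndex
        proto, enabled, required = "SMB1", bool(mode & 0x4), bool(mode & 0x8)
    else:
        raise ValueError("not an SMB message")
    return {"protocol": proto, "signing_enabled": enabled, "signing_required": required}

def servers_without_required_signing(responses: dict) -> list:
    """Return the hosts whose NEGOTIATE response does not require signing."""
    return sorted(h for h, m in responses.items()
                  if not signing_posture(m)["signing_required"])

# --- Constructed sample data (not captured from real hosts) ---
def sample_smb2(mode: int) -> bytes:
    header = (b"\xfeSMB"
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)
              + bytes(16))                           # 16-byte Signature field
    return header + struct.pack("<HHH", 65, mode, 0x0302) + bytes(58)

def sample_smb1(mode: int) -> bytes:
    header = b"\xffSMB" + bytes([0x72]) + bytes(27)  # Command 0x72 = NEGOTIATE
    return header + bytes([17]) + struct.pack("<HB", 0, mode) + bytes(31)

SAMPLES = {
    "dc01.example.test": sample_smb2(0x3),    # signing enabled and required
    "fs01.example.test": sample_smb2(0x1),    # signing enabled, not required
    "legacy.example.test": sample_smb1(0x3),  # SMB1, signing bits clear
}

if __name__ == "__main__":
    for host in servers_without_required_signing(SAMPLES):
        print(host, signing_posture(SAMPLES[host]))
```

Hosts returned by `servers_without_required_signing` are the ones where the signing mitigation described above is not enforced.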

rdp_check.py

[MS-RDPBCGR] and [MS-CREDSSP] partial implementation just to reach CredSSP auth. This example tests whether an account is valid on the target host.

registry-read.py

A Windows offline registry reader example

smbexec.py

A similar approach to psexec w/o using RemComSvc. The technique is described here http://blog.accuvant.com/rdavisaccuvant/owning-computers-without-shell-access/. Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.

rpcdump.py

An application that communicates with the Endpoint Mapper interface from the DCE/RPC suite. This can be used to list services that are remotely available through DCE/RPC.

samrdump.py

An application that communicates with the Security Account Manager Remote interface from the DCE/RPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.

smbclient.py

A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It's an excellent example to see how to use impacket.smb in action.

smbserver

A Python implementation of an SMB (only v1) server.

ifmap.py

First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is listed and/or listening.

lookupsid.py

A Windows SID brute forcer example, aiming at finding remote users/groups

opdump.py

This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.

atexec.py

This example executes a command on the target machine through the Task Scheduler service. It returns the output of that command.

Source code

Setup

Documentation

Most documentation is included in the source as Python's doc comments, but here are some examples upon which you can base your own programs:

Licensing

This software is provided under a slightly modified version of the Apache Software License. Feel free to review it here and compare it to the official Apache Software License.

Contact Us

Whether you want to report a bug, send a patch or give some suggestions on this package, drop us a few lines at oss- at -coresecurity.com.

Description

Title: Impacket
Release date: 2003
License type: Apache
